We need to call controller.protected for most of the oauth_calls.
With the exception of the public ones (create_request_token,
create_access_token, and authenticate_access_token).
Also need to update the policy.json accordingly.